RANGER-5215 : Policy authorisation fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex

agents-common/pom.xml

@@ -171,6 +171,25 @@
             <artifactId>ranger-plugins-cred</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ugsync-util</artifactId>
+            <version>${project.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java

@@ -34,7 +34,6 @@
 import org.apache.ranger.plugin.util.RangerPolicyDeltaUtil;
 import org.apache.ranger.plugin.util.RangerReadWriteLock;
 import org.apache.ranger.plugin.util.RangerRoles;
-import org.apache.ranger.plugin.util.RangerUserStore;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.apache.ranger.plugin.util.ServicePolicies.SecurityZoneInfo;
@@ -99,9 +98,7 @@ public PolicyEngine(ServicePolicies servicePolicies, RangerPluginContext pluginC
             }
         }
 
-        RangerAuthContext currAuthContext = pluginContext.getAuthContext();
-        RangerUserStore   userStore       = currAuthContext != null ? currAuthContext.getUserStoreUtil().getUserStore() : null;
-        RangerAuthContext authContext     = new RangerAuthContext(null, zoneMatcher, roles, userStore);
+        RangerAuthContext authContext = new RangerAuthContext(pluginContext.getAuthContext(), zoneMatcher, roles);
 
         this.pluginContext.setAuthContext(authContext);
 

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java

@@ -25,21 +25,47 @@
 import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerSecurityZoneMatcher;
+import org.apache.ranger.plugin.util.RangerCommonConstants;
 import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.RangerRolesUtil;
 import org.apache.ranger.plugin.util.RangerUserStore;
 import org.apache.ranger.plugin.util.RangerUserStoreUtil;
+import org.apache.ranger.ugsyncutil.transform.Mapper;
+import org.apache.ranger.ugsyncutil.util.UgsyncCommonConstants.CaseConversion;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
+import java.util.ArrayList;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
+import static org.apache.ranger.ugsyncutil.util.UgsyncCommonConstants.toCaseConversion;
+
 public class RangerAuthContext {
+    private static final Logger LOG = LoggerFactory.getLogger(RangerAuthContext.class);
+
     private final Map<RangerContextEnricher, Object> requestContextEnrichers;
     private final RangerSecurityZoneMatcher          zoneMatcher;
     private       RangerRolesUtil                    rolesUtil;
     private       RangerUserStoreUtil                userStoreUtil;
+    private       Mapper                             userNameTransformer;
+    private       Mapper                             groupNameTransformer;
+    private       CaseConversion                     userNameCaseConversion;
+    private       CaseConversion                     groupNameCaseConversion;
+
+    public RangerAuthContext(RangerAuthContext prevContext, RangerSecurityZoneMatcher zoneMatcher, RangerRoles roles) {
+        this(null, zoneMatcher, roles, prevContext != null ? prevContext.getUserStoreUtil().getUserStore() : null);
+
+        if (prevContext != null) {
+            this.userNameTransformer     = prevContext.userNameTransformer;
+            this.groupNameTransformer    = prevContext.groupNameTransformer;
+            this.userNameCaseConversion  = prevContext.userNameCaseConversion;
+            this.groupNameCaseConversion = prevContext.groupNameCaseConversion;
+        }
+    }
 
     public RangerAuthContext(Map<RangerContextEnricher, Object> requestContextEnrichers, RangerSecurityZoneMatcher zoneMatcher, RangerRoles roles, RangerUserStore userStore) {
         this.requestContextEnrichers = requestContextEnrichers != null ? requestContextEnrichers : new ConcurrentHashMap<>();
@@ -129,4 +155,118 @@ public RangerUserStoreUtil getUserStoreUtil() {
     public void setUserStore(RangerUserStore userStore) {
         this.userStoreUtil = new RangerUserStoreUtil(userStore);
     }
+
+    public Mapper getUserNameTransformer() {
+        return userNameTransformer;
+    }
+
+    public Mapper getGroupNameTransformer() {
+        return groupNameTransformer;
+    }
+
+    public CaseConversion getUserNameCaseConversion() {
+        return userNameCaseConversion;
+    }
+
+    public CaseConversion getGroupNameCaseConversion() {
+        return groupNameCaseConversion;
+    }
+
+    public void onServiceConfigsUpdate(Map<String, String> serviceConfigs) {
+        String userNameCaseConversion  = null;
+        String groupNameCaseConversion = null;
+        Mapper userNameTransformer     = null;
+        Mapper groupNameTransformer    = null;
+
+        if (MapUtils.isNotEmpty(serviceConfigs)) {
+            LOG.debug("==> onServiceConfigsUpdate({})", serviceConfigs.keySet());
+
+            userNameCaseConversion  = serviceConfigs.get(RangerCommonConstants.PLUGINS_CONF_USERNAME_CASE_CONVERSION_PARAM);
+            groupNameCaseConversion = serviceConfigs.get(RangerCommonConstants.PLUGINS_CONF_GROUPNAME_CASE_CONVERSION_PARAM);
+
+            String mappingUserNameHandler = serviceConfigs.get(RangerCommonConstants.PLUGINS_CONF_MAPPING_USERNAME_HANDLER);
+
+            if (mappingUserNameHandler != null) {
+                try {
+                    Class<Mapper> regExClass = (Class<Mapper>) Class.forName(mappingUserNameHandler);
+
+                    userNameTransformer = regExClass.newInstance();
+
+                    String baseProperty = RangerCommonConstants.PLUGINS_CONF_MAPPING_USERNAME;
+
+                    userNameTransformer.init(baseProperty, getAllRegexPatterns(baseProperty, serviceConfigs), serviceConfigs.get(RangerCommonConstants.PLUGINS_CONF_MAPPING_SEPARATOR));
+                } catch (ClassNotFoundException cne) {
+                    LOG.error("Failed to load {}", mappingUserNameHandler, cne);
+                } catch (Throwable te) {
+                    LOG.error("Failed to instantiate {}", mappingUserNameHandler, te);
+                }
+            }
+
+            String mappingGroupNameHandler = serviceConfigs.get(RangerCommonConstants.PLUGINS_CONF_MAPPING_GROUPNAME_HANDLER);
+
+            if (mappingGroupNameHandler != null) {
+                try {
+                    Class<Mapper> regExClass = (Class<Mapper>) Class.forName(mappingGroupNameHandler);
+
+                    groupNameTransformer = regExClass.newInstance();
+
+                    String baseProperty = RangerCommonConstants.PLUGINS_CONF_MAPPING_GROUPNAME;
+
+                    groupNameTransformer.init(baseProperty, getAllRegexPatterns(baseProperty, serviceConfigs), serviceConfigs.get(RangerCommonConstants.PLUGINS_CONF_MAPPING_SEPARATOR));
+                } catch (ClassNotFoundException cne) {
+                    LOG.error("Failed to load {}", mappingGroupNameHandler, cne);
+                } catch (Throwable te) {
+                    LOG.error("Failed to instantiate {}", mappingGroupNameHandler, te);
+                }
+            }
+        }
+
+        setUserNameCaseConversion(userNameCaseConversion);
+        setGroupNameCaseConversion(groupNameCaseConversion);
+        setUserNameTransformer(userNameTransformer);
+        setGroupNameTransformer(groupNameTransformer);
+    }
+
+    private void setUserNameTransformer(Mapper userNameTransformer) {
+        this.userNameTransformer = userNameTransformer;
+    }
+
+    private void setGroupNameTransformer(Mapper groupNameTransformer) {
+        this.groupNameTransformer = groupNameTransformer;
+    }
+
+    private void setUserNameCaseConversion(String userNameCaseConversion) {
+        this.userNameCaseConversion = toCaseConversion(userNameCaseConversion);
+    }
+
+    private void setGroupNameCaseConversion(String groupNameCaseConversion) {
+        this.groupNameCaseConversion = toCaseConversion(groupNameCaseConversion);
+    }
+
+    private List<String> getAllRegexPatterns(String baseProperty, Map<String, String> serviceConfig) {
+        LOG.debug("==> getAllRegexPatterns({})", baseProperty);
+
+        List<String> regexPatterns = new ArrayList<>();
+        String       baseRegex     = serviceConfig != null ? serviceConfig.get(baseProperty) : null;
+
+        LOG.debug("baseRegex = {}, pluginConfig = {}", baseRegex, serviceConfig == null ? null : serviceConfig.keySet());
+
+        if (baseRegex != null) {
+            regexPatterns.add(baseRegex);
+
+            for (int i = 1; true; i++) {
+                String nextRegex = serviceConfig.get(baseProperty + "." + i);
+
+                if (nextRegex == null) {
+                    break;
+                }
+
+                regexPatterns.add(nextRegex);
+            }
+        }
+
+        LOG.debug("<== getAllRegexPatterns({}): ret={}", baseProperty, regexPatterns);
+
+        return regexPatterns;
+    }
 }

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java

@@ -83,6 +83,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 
 public class RangerBasePlugin {
@@ -208,7 +209,6 @@ public RangerBasePlugin(RangerPluginConfig pluginConfig, ServicePolicies policie
         this(pluginConfig);
 
         init();
-
         setPolicies(policies);
         setRoles(roles);
 
@@ -442,8 +442,6 @@ public long getUserStoreVersion() {
     public void setPolicies(ServicePolicies policies) {
         LOG.debug("==> setPolicies({})", policies);
 
-        this.serviceConfigs = (policies != null && policies.getServiceConfig() != null) ? policies.getServiceConfig() : new HashMap<>();
-
         if (pluginConfig.isEnableImplicitUserStoreEnricher() && policies != null && !ServiceDefUtil.isUserStoreEnricherPresent(policies)) {
             String retrieverClassName = pluginConfig.get(RangerUserStoreEnricher.USERSTORE_RETRIEVER_CLASSNAME_OPTION, RangerAdminUserStoreRetriever.class.getCanonicalName());
             String retrieverPollIntMs = pluginConfig.get(RangerUserStoreEnricher.USERSTORE_REFRESHER_POLLINGINTERVAL_OPTION, Integer.toString(60 * 1000));
@@ -583,6 +581,8 @@ public void setPolicies(ServicePolicies policies) {
                         newPolicyEngine.setTrustedProxyAddresses(pluginConfig.getTrustedProxyAddresses());
                     }
 
+                    setServiceConfigs(policies.getServiceConfig());
+
                     LOG.info("Switching policy engine from [{}]", getPolicyVersion());
                     this.policyEngine = newPolicyEngine;
                     LOG.info("Switched policy engine to [{}]", getPolicyVersion());
@@ -887,7 +887,7 @@ public Set<RangerRole> getRangerRoleForPrincipal(String principal, String type)
         RangerPolicyEngine       policyEngine = this.policyEngine;
         RangerRoles              roles        = policyEngine != null ? policyEngine.getRangerRoles() : null;
         Set<RangerRole>          rangerRoles  = roles != null ? roles.getRangerRoles() : null;
-        Map<String, Set<String>> roleMapping = null;
+        Map<String, Set<String>> roleMapping  = null;
 
         if (rangerRoles != null) {
             RangerPluginContext rangerPluginContext = policyEngine.getPluginContext();
@@ -1199,6 +1199,18 @@ protected RangerPolicyEngine getPolicyEngine() {
         return policyEngine;
     }
 
+    private void setServiceConfigs(Map<String, String> serviceConfigs) {
+        Map<String, String> oldServiceConfigs = this.serviceConfigs;
+
+        this.serviceConfigs = serviceConfigs != null ? serviceConfigs : new HashMap<>();
+
+        RangerAuthContext authContext = this.pluginContext.getAuthContext();
+
+        if (authContext != null && !Objects.equals(oldServiceConfigs, this.serviceConfigs)) {
+            authContext.onServiceConfigsUpdate(this.serviceConfigs);
+        }
+    }
+
     private void auditGrantRevoke(GrantRevokeRequest request, String action, boolean isSuccess, RangerAccessResultProcessor resultProcessor) {
         if (request != null && resultProcessor != null) {
             RangerAccessRequestImpl accessRequest = new RangerAccessRequestImpl();

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java

@@ -31,15 +31,20 @@
 import org.apache.ranger.plugin.policyengine.RangerMutableResource;
 import org.apache.ranger.plugin.policyengine.RangerPluginContext;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
+import org.apache.ranger.plugin.util.RangerCommonConstants;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.RangerUserStoreUtil;
+import org.apache.ranger.ugsyncutil.transform.Mapper;
+import org.apache.ranger.ugsyncutil.util.UgsyncCommonConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 public class RangerDefaultRequestProcessor implements RangerAccessRequestProcessor {
     private static final Logger LOG                              = LoggerFactory.getLogger(RangerDefaultRequestProcessor.class);
@@ -98,6 +103,17 @@ public void preProcess(RangerAccessRequest request) {
                     reqImpl.setClusterType(pluginContext.getClusterType());
                 }
 
+                RangerPluginConfig config = policyEngine.getPluginContext().getConfig();
+
+                boolean isNameTransformationSupported = config.getBoolean(config.getPropertyPrefix() + RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_NAME_TRANSFORMATION, false);
+
+                LOG.debug("isNameTransformationSupported = {}", isNameTransformationSupported);
+
+                if (isNameTransformationSupported) {
+                    reqImpl.setUser(getTransformedUser(policyEngine, request));
+                    reqImpl.setUserGroups(getTransformedGroups(policyEngine, request));
+                }
+
                 convertEmailToUsername(reqImpl);
 
                 updateUserGroups(reqImpl);
@@ -157,6 +173,65 @@ public void enrich(RangerAccessRequest request) {
         }
     }
 
+    private String getTransformedUser(PolicyEngine policyEngine, RangerAccessRequest request) {
+        RangerAuthContext authContext     = policyEngine.getPluginContext().getAuthContext();
+        boolean           toLowerCase     = authContext.getUserNameCaseConversion() == UgsyncCommonConstants.CaseConversion.TO_LOWER;
+        boolean           toUpperCase     = authContext.getUserNameCaseConversion() == UgsyncCommonConstants.CaseConversion.TO_UPPER;
+        Mapper            nameTransformer = authContext.getUserNameTransformer();
+
+        if (toLowerCase || toUpperCase || nameTransformer != null) {
+            String user = request.getUser();
+
+            if (toLowerCase) {
+                user = user.toLowerCase();
+            } else if (toUpperCase) {
+                user = user.toUpperCase();
+            }
+
+            if (nameTransformer != null) {
+                user = nameTransformer.transform(user);
+            }
+
+            LOG.debug("Original username = {}, Transformed username = {}", request.getUser(), user);
+
+            return user;
+        }
+
+        return request.getUser();
+    }
+
+    private Set<String> getTransformedGroups(PolicyEngine policyEngine, RangerAccessRequest request) {
+        if (CollectionUtils.isNotEmpty(request.getUserGroups())) {
+            RangerAuthContext authContext     = policyEngine.getPluginContext().getAuthContext();
+            boolean           toLowerCase     = authContext.getGroupNameCaseConversion() == UgsyncCommonConstants.CaseConversion.TO_LOWER;
+            boolean           toUpperCase     = authContext.getGroupNameCaseConversion() == UgsyncCommonConstants.CaseConversion.TO_UPPER;
+            Mapper            nameTransformer = authContext.getGroupNameTransformer();
+
+            if (toLowerCase || toUpperCase || nameTransformer != null) {
+                return request.getUserGroups().stream()
+                        .filter(Objects::nonNull)
+                        .map(group -> {
+                            String originalGroup = group;
+
+                            if (toLowerCase) {
+                                group = group.toLowerCase();
+                            } else if (toUpperCase) {
+                                group = group.toUpperCase();
+                            }
+
+                            String transformedGroup = nameTransformer.transform(group);
+
+                            LOG.debug("Original group name = {}, Transformed group name = {}", originalGroup, transformedGroup);
+
+                            return transformedGroup;
+                        })
+                        .collect(Collectors.toSet());
+            }
+        }
+
+        return request.getUserGroups();
+    }
+
     private void setResourceServiceDef(RangerAccessRequest request) {
         RangerAccessResource resource = request.getResource();